Anti-censorship issues
https://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues
Updated: 2023-06-11T05:41:55Z

Issue: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/28168
Title: Use ESNI via Firefox HTTPS helper
Updated: 2023-06-11T05:41:55Z
Author: David Fifield <dcf@torproject.org>

As of 2018-10-18, [Firefox Nightly supports](https://blog.mozilla.org/security/2018/10/18/encrypted-sni-comes-to-firefox-nightly/) encrypted SNI, and [Cloudflare supports it](https://blog.cloudflare.com/esni/) on the server side. Because meek supports using Firefox as a channel for issuing HTTPS requests, it ought to be pretty easy to adapt the meek client software to use ESNI rather than domain fronting. The server software doesn't need any change.

These steps are untested:

1. Download Tor Browser and Firefox Nightly.
2. Go to about:config in Firefox Nightly and set
   * network.trr.mode=3
   * network.trr.uri=https://1.1.1.1/dns-query
   * network.security.esni.enabled=true
3. Copy the meek-http-helper@bamsoftware.com.xpi from Tor Browser to Firefox Nightly.
4. Hack meek-client-torbrowser/{mac,linux,windows}.go to point `firefoxPath` at the copy of Firefox Nightly and disable the custom profile. (Additional hacks to remove hardcoded Tor Browser assumptions may be required.)
5. Set up a Cloudflare instance pointing to https://meek.bamsoftware.com/, call it https://meek.example.com/.
6. Set up a [custom bridge](/legacy/trac/-/wikis/doc/meek#how-to-change-the-front-domain) in Tor Browser, using `url=` without `front=` (because we're no longer domain fronting).

```
bridge meek 0.0.2.0:3 url=https://meek.example.com/
```

Of course, once ESNI support makes it into the version of Firefox used by Tor Browser, this will be even easier, not requiring a separate Firefox Nightly.

Assignee: David Fifield <dcf@torproject.org>

Issue: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/trac/-/issues/28035
Title: Goal 2019 Add 2 New Bridge types to replace OBFS4 Bridges
Updated: 2020-06-27T13:43:52Z
Author: Trac

The author of this bridge stated there is no real anon with this bridge or security provided other than simple box obfuscation.

It is time to set 2019 to devote to a real new solution for bridges.

I don't know about Snowflake, but I guess if people only want to work on one solution that is their choice, but I think some leadership organization needs to address the lack of real Bridge development. Most of the advertised future bridges are years old and still lack any real development other than the initial research papers. Maybe the development is private? Probably, but since Tor cannot act in private it needs to coax out some open development.
I have no inclination to the correct path other than it needs some "Highway Development".

Roll it all out into Alpha tor, I don't care; throw in whatever bridges are available and let people test them. If they are not deemed possibly better than obfs4 proxy, don't even bother.

**Trac**:
**Username**: TorCub

Issue: https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/27984
Title: bridgedb verifyHostname doesn't check subjectAltName extension
Updated: 2021-07-09T18:27:09Z
Author: Trac

Currently, bridgedb/crypto.py function verifyHostname uses the certificate's commonName exclusively to perform a hostname match.

RFC 5280 demands that the presence of the subjectAltName (SAN) extension is checked, and if present, it must be used to perform the hostname check.

verifyHostname should be changed to use subjectAltName. Only fall back to checking the common name if SAN is missing.

If an existing, more complete implementation of hostname verification can be found, it might be preferable to use it.

**Trac**:
**Username**: kaie

Assignee: Armin Huremagic

Issue: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/27850
Title: Provide stand-alone snowflake proxy for 32-bit
Updated: 2020-06-27T13:40:35Z
Author: traumschule

I tried [[doc/Snowflake#Option2standalone]] and ran into

```
~/go/src/git.torproject.org/pluggable-transports/snowflake/proxy-go$ torsocks go get
# github.com/keroserene/go-webrtc
/usr/bin/ld: cannot find -lwebrtc-linux-386-magic
collect2: error: ld returned 1 exit status
```

https://github.com/keroserene/go-webrtc/issues/38

Assignee: David Fifield <dcf@torproject.org>

Issue: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/27827
Title: Reproducibility issue of the snowflake osx64 build
Updated: 2020-06-27T13:40:35Z
Author: boklm

The build of Snowflake for MacOS is often producing the same result, but not always.

Arthur has been rebuilding Snowflake 8 times, with 4 different results:
https://gist.github.com/arthuredelstein/73860df088c565ea0b2ca6eef586063a

```
fish script:
for x in (seq 8)
rm out/snowflake/snowflake-6077141f4aff-osx-x86_64-3b578d.tar.gz
./rbm/rbm build snowflake --target alpha --target torbrowser-osx-x86_64
tar xvf out/snowflake/snowflake-6077141f4aff-osx-x86_64-3b578d.tar.gz
echo (sha256sum ./Contents/MacOS/Tor/PluggableTransports/snowflake-client)
end
Results:
b060b42cfd0c8fb2781dbb0fd45d42804dbb414473fec0597d9c2fb7d6d12aa8 ./Contents/MacOS/Tor/PluggableTransports/snowflake-client
1ee0dd2a0b228988e22c663d62b696b23a6ac48dc742a57dfa8f854aa3992bc3 ./Contents/MacOS/Tor/PluggableTransports/snowflake-client
22557c38d913e478e480dd3581efc00019fe2989c4273d9207f1719c34b6e399 ./Contents/MacOS/Tor/PluggableTransports/snowflake-client
22557c38d913e478e480dd3581efc00019fe2989c4273d9207f1719c34b6e399 ./Contents/MacOS/Tor/PluggableTransports/snowflake-client
1ee0dd2a0b228988e22c663d62b696b23a6ac48dc742a57dfa8f854aa3992bc3 ./Contents/MacOS/Tor/PluggableTransports/snowflake-client
1ee0dd2a0b228988e22c663d62b696b23a6ac48dc742a57dfa8f854aa3992bc3 ./Contents/MacOS/Tor/PluggableTransports/snowflake-client
1ee0dd2a0b228988e22c663d62b696b23a6ac48dc742a57dfa8f854aa3992bc3 ./Contents/MacOS/Tor/PluggableTransports/snowflake-client
6d008bc7d29e8543608491b67d4b11da7bd6589741d9f52ac5fd50dd39d84f29 ./Contents/MacOS/Tor/PluggableTransports/snowflake-client
```

Issue: https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/27723
Title: Obfs4 stopped working 16 Sept 18
Updated: 2020-06-27T13:43:39Z
Author: Trac

I was using obfs4 on 15 Sept 18, but shortly after midnight, it stopped working, and I'm using azure. I assume that's the only thing that works when obfs4 fails.

**Trac**:
**Username**: mwolfe

Assignee: David Fifield <dcf@torproject.org>

Issue: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/27385
Title: https://snowflake.torproject.org/embed is confusing
Updated: 2022-07-09T04:20:15Z
Author: cypherpunks

`embed.html` should be the go-to for embedding snowflake badges in webpages, but it currently has a couple of problems:

1. No description, nothing to suggest to the lambda visitor what to do.
2. Clicking on the badge redirects to the options page hosted in torproject.org, but this means that users who have first-party isolation manually enabled (as can be done in Firefox) won't be able to enable it on the page where embed.html is embedded.
Ideally what should be done is:

1. Small description ("Do you want to help censored users access the Tor network?") with a snowflake logo.
2. If the user clicks on yes, then in that same iframe there's some JS check to see if WebRTC is disabled; if it is, inform the user that WebRTC is necessary and perhaps add a link on how to enable it back.
3. If WebRTC is enabled, then load up snowflake.js and modernizr.js. The description should say whether the connection to the broker is done and is waiting for a client request, and if it is then maybe the logo should change as well as the description. (Since everything is done on the same page, there won't be any problems with first-party isolation -- except with 3rd-party cookies disabled.)

Ideally it should be easy to embed into webpages if what's above is done, and it should be small enough.

(cc'ing antonela of the ux-team for her opinions :)

Milestone: Sponsor 28: Reliable Anonymous Communication Evading Censors and Repressors (RACECAR)
Assignee: Arlo Breault

Issue: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/trac/-/issues/26923
Title: Intent to create Pluggable Transport: HTTPS proxy
Updated: 2021-07-29T15:05:59Z
Author: Trac

# httpsproxy

The HTTP CONNECT method is one of the standard ways to proxy internet traffic, which is used both in [HTTP/1.1](https://tools.ietf.org/html/rfc2616#section-9.9) and [HTTP/2](https://http2.github.io/http2-spec/#CONNECT). HTTPS traffic is very popular on the web, and pluggable transports could benefit from this fact. There's very high collateral damage that would result from full HTTPS blocking, and it adds diversity to PTs' shapes because most current PTs do not resemble HTTPS.

Usage of HTTPS proxies also helps with active probing: a proxy can be an actual web server that serves content, as opposed to circumvention technologies that don't show any apparent collateral damage nor respond in any way when probed. To a prober that doesn't have correct credentials, an httpsproxy server can look like a real web server, if it is a real web server.

## Ways to use HTTPS proxies with Tor

### Naive proxy

Given correct credentials, a user can request any standard forward proxy on the web to connect to Tor. The client establishes a TLS connection to the web proxy, and sends a request in the form of

```
CONNECT 0.1.2.3:9001 HTTP/1.1
Host: 0.1.2.3
Proxy-Authorization: Basic dXNlcjpwYXNz
```

where 0.1.2.3:9001 is the address of an arbitrary vanilla Tor entry node. The web server would establish a TCP connection to this address and relay subsequent traffic to it.

Such an approach allows us to use a diverse set of standard proxies: a web proxy is easy to set up and does not need to speak Tor. However, the web proxy operator will likely want to whitelist Tor entrance nodes in order to prevent abuse. As such, they would benefit from talking to some sort of https-proxy-authority, which would provide entrance node(s) to whitelist, and allow proxies to let Tor Project know that their servers could be used as a proxy.

While the lack of a server-side PT makes it easier to deploy, it also means we cannot collect metrics.

### Full Bridge

A full bridge runs a Tor entry node, a pluggable transport and an upstreaming frontend webserver. The upstreaming webserver would check credentials, and, instead of consuming CONNECT requests, it would upstream them into the pluggable transport ExtORPort, while also stapling the client's IP to it in a header. The PT would parse the IP from the HTTP request header, and pass it to ExtORPort, thus enabling metrics collection.

## Registering with BridgeDB

As it currently stands, bridges have to have an ORPort open to be registered with BridgeDB (legacy/trac#7349).

This leads to easy identification and blocking of bridges. However, we can still register bridge lines with BridgeDB, if we add an additional hop to an intermediate proxy before entering a bridge. A censor would only be able to observe the address of the intermediate proxy.

Having such a 2-hop setup is a natural property of the Naive Proxy, as described above. Bridge line example:

```
httpsproxy [vanilla entry addr] [entry fingerprint] url=https://username:password@naiveproxy.org
```

We can use the 2-hop approach with full bridges as well: the intermediate proxy would forward the HTTP request (preferably with the client IP in a "Forwarded: for=IP:port" header). In this case, the intermediate proxy just redirects all requests (as long as credentials are correct) to the chosen full bridge(s), which is essentially a reverse proxy -- a widely supported technology.

While the second hop adds overhead, there's a benefit in not requiring would-be proxy operators to run a full bridge, since configuration of a proxy now becomes substantially easier, and, ideally, would amount to adding a few lines to a web server config file and registering themselves with BridgeDB via some script. Not requiring them to install, configure and run both PT and Tor daemons may allow us to attract a bigger number of volunteers for the entrance servers.

However, it's unclear which party would actually register the bridge line, and how. Perhaps a separate https-proxy-authority could do that (and provide web proxies with entries to use).

## Current prototype

Works with standard HTTP/1.1 and HTTP/2.0 proxies, with both naive proxies and full bridges. If there's interest in seeing the current prototype, I would gladly share it; @dcf already created a ticket for the repo creation, legacy/trac#26793.

### Language

Both client and server are implemented in Golang, a relatively safe, cross-platform language.

### Overhead

Bandwidth overhead depends on the aggressiveness of padding, but I would not expect goodput to drop below 80%, especially for high-bandwidth workloads, which should mostly consist of MTU-sized packets. Detailed evaluation would be done after padding is implemented.

Computational overhead amounts to a TLS handshake per flow plus the usual connection management.
## Fingerprinting

Running a real web server helps; however, there are multiple potential fingerprintabilities. Those include:

### Probing web server with proxy requests without a secret

By default, web servers with this sort of forward proxying enabled will respond to unauthenticated proxy requests with "407 Proxy Authentication Required", whereas a web server without forward proxying enabled will respond differently, stating that it's not a proxy and doesn't want your CONNECT requests.

It would be beneficial to hide the fact of proxying (although note that this doesn't give out the proxy as a Tor proxy, just that forward proxying is enabled). This feature is already supported by [Caddy web server](https://github.com/caddyserver/forwardproxy/blob/master/README.md#caddyfile-syntax-server-configuration) (see the "probe_resistance" option), which is used for the current implementation.

### TLS ClientHello fingerprinting

meek has been blocked before based on its TLS ClientHello, at least twice. There is a library called [utls](https://github.com/refraction-networking/utls) that provides the ability to mimic arbitrary ClientHello messages. It uses real-world data from https://tlsfingerprint.io/ to learn what it should mimic based on provided collateral damage, and allows developers to confirm the correctness of their mimicking. In the event of any particular "fingerprint" being blocked or incorrectly mimicked, this transport would use multiple "fingerprints" and cycle through them until an unblocked one is found.

### Other TLS fingerprinting

Evaluation of other TLS handshake messages and TLS records, and how they may differ from mimicked implementations, remains a TODO.

### Traffic Size Patterns

The current prototype doesn't use padding yet, and traces generated by it look extremely fingerprintable, constantly generating packets of size CELL_SIZE * N + constant overhead.

We intend to address this problem shortly by splitting and padding http/2 frames to resemble common web traffic.

There is no standard way to pad http/1.1 that will work with standard web proxies, but we can probably split the cells.

### Connection establishment traffic patterns

This is especially relevant to 2-hop approaches: the client might have to wait for the first response for a long time, while the proxy establishes the connection. This is an issue for many proxies, which is also possible to solve; just noting that it requires attention and a solution.

### Connection lifetime

Being connected to the same server for prolonged periods of time (an HTTPS tunnel may work fine for hours, if not days) could be a distinguishing feature. The client should redial at least once an hour. TODO

**Trac**:
**Username**: sf

Issue: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/26891
Title: Problem running meek server without CDN, stuck at Performing bandwidth self-test...done
Updated: 2023-08-01T19:36:47Z
Author: Trac

**I am trying to run a meek server, and this is what I have done for the test:**

I have a domain (for example, call it example.com) and I manually applied for a Let's Encrypt SSL certificate, so I can visit the website through https://example.com.

**Here is the torrc:**

```
BridgeRelay 1
ORPort 9001
ExtORPort auto
SocksPort 0
ExitPolicy reject *:*
ServerTransportListenAddr meek 0.0.0.0:443
ServerTransportPlugin meek exec /usr/local/bin/meek-server --cert /etc/letsencrypt/live/example.com/fullchain.pem --key /etc/letsencrypt/live/example.com/privkey.pem --log /var/log/tor/meek-server.log
```

**However, when I enter "tor -f torrc", it gets stuck here:**

```
Jul 20 15:29:53.566 [notice] Tor 0.3.2.10 (git-0edaa32732ec8930) running on Linux with Libevent 2.1.8-stable, OpenSSL 1.0.2g, Zlib 1.2.11, Liblzma 5.2.2, and Libzstd 1.3.1.
Jul 20 15:29:53.567 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jul 20 15:29:53.567 [notice] Read configuration file "/xxx/torrc".
Jul 20 15:29:53.574 [notice] Your ContactInfo config option is not set. Please consider setting it, so we can contact you if your server is misconfigured or something else goes wrong.
Jul 20 15:29:53.574 [notice] Based on detected system memory, MaxMemInQueues is set to 739 MB. You can override this by setting MaxMemInQueues by hand.
Jul 20 15:29:53.576 [notice] Scheduler type KIST has been enabled.
Jul 20 15:29:53.576 [notice] Opening OR listener on 0.0.0.0:9001
Jul 20 15:29:53.576 [notice] Opening Extended OR listener on 127.0.0.1:0
Jul 20 15:29:53.577 [notice] Extended OR listener listening on port 40651.
Jul 20 15:29:54.000 [warn] Failed to open GEOIP file /usr/share/tor/geoip. We've been configured to see which countries can access us as a bridge, and we need GEOIP information to tell which countries clients are in. Do you have the tor-geoipdb package installed?
Jul 20 15:29:54.000 [warn] Failed to open GEOIP file /usr/share/tor/geoip6. We've been configured to see which countries can access us as a bridge, and we need GEOIP information to tell which countries clients are in. Do you have the tor-geoipdb package installed?
Jul 20 15:29:54.000 [notice] Configured to measure directory request statistics, but no GeoIP database found. Please specify a GeoIP database using the GeoIPFile option.
Jul 20 15:29:54.000 [warn] You are running Tor as root. You don't need to, and you probably shouldn't.
Jul 20 15:29:56.000 [notice] Your Tor server's identity key fingerprint is 'Unnamed E8094BFxxxxxxxxxx5C1E'
Jul 20 15:29:56.000 [notice] Your Tor bridge's hashed identity key fingerprint is 'Unnamed BBAA6xxxxxxxxxAA811B'
Jul 20 15:29:56.000 [notice] Bootstrapped 0%: Starting
Jul 20 15:30:03.000 [notice] Starting with guard context "default"
Jul 20 15:30:03.000 [notice] Bootstrapped 80%: Connecting to the Tor network
Jul 20 15:30:03.000 [notice] Bootstrapped 85%: Finishing handshake with first hop
Jul 20 15:30:04.000 [warn] Server managed proxy encountered a method error. (meek listen tcp 0.0.0.0:443: bind: address already in use)
Jul 20 15:30:04.000 [warn] Managed proxy at '/usr/local/bin/meek-server' failed the configuration protocol and will be destroyed.
Jul 20 15:30:04.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Jul 20 15:30:06.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Jul 20 15:30:06.000 [notice] Bootstrapped 100%: Done
Jul 20 15:30:06.000 [notice] Now checking whether ORPort 45.xxx.xxx.xxx:9001 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
Jul 20 15:30:09.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Jul 20 15:31:14.000 [notice] Your network connection speed appears to have changed. Resetting timeout to 60s after 18 timeouts and 442 buildtimes.
Jul 20 15:31:20.000 [notice] Performing bandwidth self-test...done.
```

**And then it has no further output and seems not to be working. Besides the above one, once I also got this output:**

```
...
Jul 20 08:24:27.000 [notice] Performing bandwidth self-test...done.
Jul 20 09:23:17.000 [notice] No circuits are opened. Relaxed timeout for circuit 30 (a Measuring circuit timeout 3-hop circuit in state doing handshakes with channel state open) to 60000ms. However, it appears the circuit has timed out anyway.
```

**What's wrong with my steps in setting up the meek server? What should I do next to set up a meek server, either for use or for test?**
**Must I use a CDN to domain front it?**

By the way, is it possible to use meek without domain fronting if the domain has not been filtered?

Maybe I misunderstood something in https://trac.torproject.org/projects/tor/wiki/doc/meek#Howtorunameek-serverbridge and meek's README, and I am sorry for that.
**Trac**:
**Username**: weiruo

Assignee: David Fifield <dcf@torproject.org>

Issue: https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/26807
Title: Venezuela blocks access to the Tor network
Updated: 2021-07-09T18:29:19Z
Author: Trac

https://www.accessnow.org/venezuela-blocks-tor/

> Access Now's partners have confirmed that the Tor network — a widely used tool allowing users to browse the internet anonymously — was blocked in Venezuela last week over the government-owned internet service provider CANTV, by far the largest ISP in the country.

> "It seems that the government of Venezuela has found out how to do a very sophisticated block for the Tor network. It's not only on the direct access channels, but also the bridges Tor provides to bypass that blocking," said Melanio Escobar, Venezuelan technologist and journalist, and founder of Redes Ayuda.

**Trac**:
**Username**: ptdetector

Assignee: David Fifield <dcf@torproject.org>

Issue: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/26783
Title: Snowflake statistics appear to be broken from something plus mid-June
Updated: 2020-06-27T13:40:36Z
Author: Trac

https://metrics.torproject.org/userstats-bridge-transport.html?start=2018-04-14&end=2018-07-13&transport=snowflake

**Trac**:
**Username**: TracTorProjectSucksRightNow

Issue: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/26661
Title: snowflake.bamsoftware.com is down?
Updated: 2020-06-27T13:40:36Z
Author: cypherpunks

```
2018/07/06 04:58:45 error dialing relay: websocket.Dial wss://snowflake.bamsoftware.com/?client_ip=207.226.244.123: dial tcp [2a00:c6c0:0:151:4:8f94:69f5:7c01]:443: connect: connection refused
```

Issue: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/26652
Title: Snowflake bootstrap fails
Updated: 2020-06-27T13:40:36Z
Author: cypherpunks

Issue: https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/26543
Title: Provide a language switcher menu on BridgeDB
Updated: 2021-07-01T17:47:15Z
Author: teor

"As a side note, that page always loads in my native language with no way to switch to English -- pages which do this are the worst. In this case it means I can't usefully copy-paste you the exact error messages that I get."

https://lists.torproject.org/pipermail/tor-relays/2018-June/015512.html

Assignee: Philipp Winter <phw@torproject.org>

Issue: https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/26542
Title: Distribute IPv6 bridges through bridges.torproject.org
Updated: 2020-06-27T13:42:53Z
Author: teor

A relay operator can't find any IPv6 bridges on bridges.torproject.org:
https://lists.torproject.org/pipermail/tor-relays/2018-June/015512.html

Perhaps this is a bridge authority or BridgeDB issue.

Assignee: Philipp Winter <phw@torproject.org>

Issue: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/26389
Title: Remove `handlerChan`, shut down immediately on SIGTERM
Updated: 2020-06-27T13:44:13Z
Author: cypherpunks

Assignee: David Fifield <dcf@torproject.org>

Issue: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/26348
Title: Guard against large reads
Updated: 2020-06-27T13:40:36Z
Author: David Fifield <dcf@torproject.org>

Snowflake code calls ioutil.ReadAll from a socket/HTTP in many places in the code: [1](https://gitweb.torproject.org/pluggable-transports/snowflake.git/tree/broker/broker.go?id=25b304a9a856f8c791882ad523df26ffc8fa629c#n123) [2](https://gitweb.torproject.org/pluggable-transports/snowflake.git/tree/broker/broker.go?id=25b304a9a856f8c791882ad523df26ffc8fa629c#n153) [3](https://gitweb.torproject.org/pluggable-transports/snowflake.git/tree/broker/broker.go?id=25b304a9a856f8c791882ad523df26ffc8fa629c#n200) [4](https://gitweb.torproject.org/pluggable-transports/snowflake.git/tree/client/rendezvous.go?id=25b304a9a856f8c791882ad523df26ffc8fa629c#n100) [5](https://gitweb.torproject.org/pluggable-transports/snowflake.git/tree/proxy-go/snowflake.go?id=25b304a9a856f8c791882ad523df26ffc8fa629c#n160).

These should all get an [io.LimitReader](https://golang.org/pkg/io/#LimitReader) or [http.MaxBytesReader](https://golang.org/pkg/net/http/#MaxBytesReader) with a limit of 100 KB or so. Like [this one](https://gitweb.torproject.org/pluggable-transports/snowflake.git/tree/server-webrtc/http.go?id=25b304a9a856f8c791882ad523df26ffc8fa629c#n40):

```go
body, err := ioutil.ReadAll(http.MaxBytesReader(w, req.Body, 100000))
if err != nil {
	http.Error(w, "Bad request.", http.StatusBadRequest)
	return
}
```

Assignee: Cecylia Bocovich

Issue: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/26241
Title: Check meek TLS fingerprint on ESR 60
Updated: 2022-07-25T22:20:06Z
Author: David Fifield <dcf@torproject.org>

legacy/trac#22515 previous ticket for ESR 52.

https://lists.torproject.org/pipermail/tbb-dev/2018-May/000849.html
http://f4amtbsowhix7rrf.onion/tor-browser-builds/

Assignee: David Fifield <dcf@torproject.org>

Issue: https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/26154
Title: Remove apt-get update from BridgeDB's .travis.yml to avoid SHA1 signature error
Updated: 2020-06-27T13:42:53Z
Author: Isis Lovecruft

e.g. https://travis-ci.org/isislovecruft/bridgedb/jobs/381817517#L574

Assignee: Philipp Winter <phw@torproject.org>

Issue: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/26151
Title: Snowflake rendezvous using Amazon SQS
Updated: 2024-02-14T16:33:43Z
Author: David Fifield <dcf@torproject.org>

Nathan Freitas suggests using [Amazon Simple Queue Service](https://en.wikipedia.org/wiki/Amazon_Simple_Queue_Service) for exchanging rendezvous messages. "It supports programmatic sending of messages via web service applications as a way to communicate over the Internet."

It looks like messages are relayed through URLs like
https://queue.amazonaws.com/
https://sqs.us-east-1.amazonaws.com/
https://sqs.us-east-2.amazonaws.com/
etc.

[Here is an example of a SendMessage call](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-making-api-requests.html):

https://sqs.us-east-2.amazonaws.com/123456789012/MyQueue?Action=SendMessage&MessageBody=Your%20message%20text&Version=2012-11-05&AUTHPARAMS

There's a [command-line interface](https://docs.aws.amazon.com/cli/latest/reference/sqs/index.html).

I'm not sure how you would send a message back to the client, and have it match up with the message the client sent initially. Maybe a separate queue per client?